Trojan Downloader Attacks with Encrypted Executables

Malware investigators at antivirus firm Sophos are warning that Trojan downloaders are being used to launch a new attack in the form of wholly encrypted executables. The Trojan that Sophos has identified in the attack is Troj/Dloadr-CEX.

According to Sophos, it aims to plant a malicious payload fetched from online sources while dodging network-level scanners. The Trojan accomplishes this by downloading a wholly encrypted file and decrypting it only after it has landed on the attacked system.

Mike W., a malware researcher at Sophos (Canada), said that when he retrieved the file manually, it appeared to be junk. According to him, the file downloaded from the Internet does not match any known file format, and it would not even run as an executable, said Mike W., as reported by Softpedia on February 17, 2009.

But when he allowed the Trojan to handle the downloaded content in its own way, it transformed the original junk file into a properly formed Windows PE (Portable Executable) file that would readily do further harm to the target machine, explained the researcher.

Sophos states that encrypted programs are nothing new; what is new is that the downloaded payload itself is fully encrypted, whereas until now these malicious files have entered the system in the form of executables. Mike W. further said that delivering malicious software in an unrecognizable file format could be the malware creators' response to the idea of 'in-the-cloud' malware protection.

Meanwhile, elaborating further, security specialists at Sophos said that the technique tends to fail against well-designed security applications at the network level. Although it could possibly elude ordinary gateway scanners, the technique might not do much against 'in-the-cloud' antivirus products that monitor the actual events on the system rather than the file types.
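The two vantage points described above (a gateway scanner that sees an opaque download with no recognizable file format, and a host-side monitor that sees the decrypted Portable Executable once the downloader has processed it) can be illustrated with a small detector. The following is an added example written for this page; it is not Sophos code and it does not reproduce Troj/Dloadr-CEX. The magic-byte table, the entropy threshold of 7.0 bits per byte and the sample buffers are all constructed for the demonstration: the "opaque blob" is simply pseudo-random bytes standing in for the encrypted download, and the PE stub is a header-shaped buffer, not a runnable binary.

```python
import math
import random
from collections import Counter

# Constructed, partial table of magic-byte prefixes a gateway scanner might
# use to recognise a file type. The encrypted download matches none of them.
MAGICS = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\x7fELF": "elf",
    b"\x89PNG\r\n\x1a\n": "png",
}


def identify_format(data: bytes) -> str:
    """Gateway-style type identification by leading magic bytes."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def gateway_verdict(data: bytes, entropy_threshold: float = 7.0) -> str:
    """What a format-based network scanner can say about a transfer.

    A recognised executable is flagged as such; an unrecognised, high-entropy
    stream is the best a gateway can do with an encrypted payload. The
    threshold is an assumed tuning value, not a vendor setting.
    """
    fmt = identify_format(data)
    if fmt == "pe":
        return "executable"
    if fmt == "unknown" and shannon_entropy(data) >= entropy_threshold:
        return "opaque-high-entropy"
    return "other"


def is_pe(data: bytes) -> bool:
    """Host-side check applied to what the downloader actually writes or runs.

    Requires the DOS 'MZ' signature and an e_lfanew (offset 0x3C) that points
    at the 'PE\\0\\0' signature of the NT headers.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def make_pe_stub() -> bytes:
    """Constructed PE-shaped buffer: MZ header, e_lfanew = 0x80, PE signature."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3A)        # 0x3C bytes of DOS header
    buf += (0x80).to_bytes(4, "little")           # e_lfanew at offset 0x3C
    buf += b"\x00" * (0x80 - len(buf))            # pad up to the NT headers
    buf += b"PE\x00\x00" + b"\x00" * 60           # signature plus padding
    return bytes(buf)


def make_opaque_blob(size: int = 4096, seed: int = 1) -> bytes:
    """Constructed stand-in for the encrypted download: deterministic random bytes."""
    return random.Random(seed).randbytes(size)


if __name__ == "__main__":
    blob, pe = make_opaque_blob(), make_pe_stub()
    # On the wire: no known format, entropy close to 8 bits per byte.
    print("gateway sees download as:", gateway_verdict(blob),
          f"(entropy {shannon_entropy(blob):.2f})")
    # On the host, after the Trojan has decrypted it: a Portable Executable.
    print("host sees written file as PE:", is_pe(pe),
          "->", gateway_verdict(pe))
```

The point the example makes is the one Sophos makes: a scanner that keys on file type has nothing to match at the network boundary, so the only signal left there is "unrecognised and nearly incompressible", which is also what legitimate TLS traffic and compressed archives look like. The PE check, by contrast, is only useful where the decrypted payload exists, on the endpoint, which is why event-based host monitoring is the more reliable place to catch this pattern.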

Commenting on the new attack technique, the security specialists said that the malware writers had once again proven to be innovative, and that security developers need to keep finding newer technologies, particularly for network-level defenses.